Comments on Jeremiah Grossman: Quick Wins and Web Application Security

Avi Douglen (http://www.codefend.com/), 2009-04-12:
"A similar option is desperately needed from the software development side of Web application security field."

While a solution for code reviews that offers effective (not automated code scanners), yet efficient (not manual reviews) would be wonderful, and might be just the ticket to offer quick and measurable results, much like Sentinel on the PT side, or VA+WAF, this has not been possible...
Until very recently. I recently launched our CODEFEND service, offering just that. We can quickly get deep into the code, and offer fast responses, down to "fix this line and change to that". And as soon as this is implemented by the programmer, we can verify the fix and show some hard numbers on the code's security.

And yes, it is scalable. :-)

(forgive the semi-marketing-speak, but I believe it's in all our interest)

Joshua (http://www.blogger.com/profile/06933116797026353050), 2009-04-08:
I think that if time was spent in creating an effective risk determination methodology that is repeatable, it should give management enough of a mechanism to report progress.
I can understand that CIOs need to justify their security initiatives, and they should to ensure that the best thing is being done for the organization, but using risk as the ammunition for this justification should allow for ALL initiatives to be justified and to ensure a proper return.

dxs, 2009-03-31:
... but SDLC is the right approach though. CIOs may not be able to launch a company-wide SDLC program in a short time frame, but they can start with pilots and proof of concepts on a chosen app. Done right, the method will replicate "the right way" to the rest of the apps. Implementing WAFs, we choose to abstract from the code even further. WAFs do not solve business rule violations leading to funds transfer, for example. On the other hand, let's look back at a QA/Dev guy who is more than capable of instrumenting the code with security point probes on which the organization can report. For example, the function checking for validity may count the number of times "really bad" input was submitted and provide such statistics for ROI calculation. QA knows a lot more about code coverage and test harnesses than is being utilized by the organization.

Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186), 2009-03-30:
@Karen, you are exactly right. Recommended paths towards website security are going to "depend" on each organization. Therein lies the problem, but I think we can all do better.

I've not personally seen any decent head-to-head WAF reviews lately. Essentially few are in business to actually do them anymore. The best we can expect is experiences shared by those who've tried them.
If you are looking at a particular product, I can probably put you in touch with someone who has implemented such a device.

Karen, 2009-03-29:
The answer to this kind of question is presented differently by each company. Too many angles.
I'm still looking for a good comparison list of different WAF solutions.

Andre Gironda (http://www.blogger.com/profile/17414510788948258195), 2009-03-20:
This comment has been removed by the author.